Marriott may possibly contend that the breach took place in 2014 and so was perpetrated years before GDPR became law, but my very basic understanding of the Regulation would suggest that if it were proven that material was still being taken by hackers after May of this year, then GDPR most definitely applies.
Campaign has been asking the question over the weekend and Forbes has been giving the answer that yes, this is a GDPR breach. An investigation, it suggests, has shown that data was stolen on or before September 2018 and the likelihood is that GDPR will apply.
This is big news. Regular readers of this column will know that I have long predicted marketers need not be as worried by GDPR as cybersecurity teams. With enough leeway in the law to allow people carrying on using data lists, it was more likely that firms would receive the big fines for losing information rather than using it.
It is inconceivable that there are not many EU citizens among the up to 500m people who are said to have email, payment and address details taken by hackers. It is almost certain that if the software had lain dormant on the hotel chain's computer systems stealing data quietly, it was still doing so -- or capable of doing so -- after May's introduction of the GDPR.
So far the ICO has restricted itself to a very short statement that it is aware of the breach and advises the public to protect their data online. Don't know about you, but this advice always makes me laugh when one considers that we all hand over contact and payment details to big companies because we entrust them to have decent security, and there is no other way of dealing with them. I'm really not sure how far you would get booking hotel rooms and refusing to enter your card or contact details, promising to pay cash at reception instead.
I have found it impossible, even if you turn up on the day, not to have to hand over a credit card so its details can be held against my room. Other than sleep on the streets after a conference, then, I'm not too sure what we're supposed to do.
It probably goes without saying but we're now in the era of huge data breach fines of up to 4% of global revenue. Much will now depend on how well Marriott is deemed to have handled disclosure of the breach, and how quickly it warned customers and what it has done to make up for the loss of data.
To the outside observer, it would appear that Marriott Starwood has come clean about the attack and is offering customers help in finding out whether their personal information has been hawked on the internet by cyber criminals.
So my best bet is that there will need to be an EU investigation, and that could result in a fine. I'm not so sure about the eye-watering 4% of global sales fine, however. That has to be reserved for companies who don't disclose a breach to the authorities or don't warn customers -- or even both.
It looks like Marriott Starwood has fulfilled its obligations and now has to live with the fact that it looks pretty dumb to have been potentially leaking customer data for four years without noticing as it braces for the very real prospect of a large fine.
I can't see it being the maximum, though, and we'll need a real rogue trying to cover their tracks before 4% becomes a reality rather than a deterrent hidden under the ICO's desk.